Thank you very much for your helpful reply.  

I’m a graphics programmer with no experience in PGP. The shell script I have
calls:
OPENSSL_ARCHIVE_URL="https://www.openssl.org/source/old/${BRANCH}/${OPENSSL_ARCHIVE_FILE_NAME}"
in the process of downloading OpenSSL for use in building an iOS static
implementation. Does https have a reasonable level of security? I believe I
can include a block of code in the script to do a checksum.

> On Sep 12, 2018, at 1:42 PM, Michael Wojcik <michael.woj...@microfocus.com> 
> wrote:
> 
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
>> Of Matt Caswell
>> Sent: Wednesday, September 12, 2018 14:29
>> 
>> On 12/09/18 19:24, Chris Outwin wrote:
>>> I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for
>> receipt validation in an iOS application.
>>> 
>>> Is there a list of checksums to verify openssl download versions?
>> 
>> Next to each download on the website there are links for SHA256/PGP/SHA1
>> checksums.
>> 
>> https://www.openssl.org/source/
> 
> I'd strongly recommend verifying the PGP (OpenPGP, gpg) signature on the 
> tarball. The signature files are right there alongside the tarballs.
> 
> If you're new to gpg (or whatever OpenPGP implementation of your choice), 
> there's a bit of learning and setup to do: you'll need to fetch the 
> appropriate key from a public keyserver or other trustworthy (-ish) source to 
> fully verify the signature, and you'll probably want to mark the key as 
> trusted so the output from gpg is clear.
> 
> But once you've done that, it's very easy to verify the signature, and to 
> automate the process if you prefer. And the signatures add a bit of 
> defense-in-depth because publishing a tampered-with tarball would require 
> subverting the private key as well as the OpenSSL web server.  (If you're 
> just checking the SHA256 hash, an attacker could either get access to the 
> OpenSSL web server, or force you to a counterfeit server, for example via DNS 
> cache poisoning. And due to the systemic brokenness of the web PKI, it's 
> pretty easy to fool a lot of people with a counterfeit server.)
> 
> So do the work now to set yourself up for verifying the signature, and 
> inculcate a good habit.
> 
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
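Added example, not from the thread or from the OpenSSL project: a POSIX shell fragment that does what Michael describes, checking the published SHA-256 file and the detached OpenPGP signature before the tarball is used. It assumes that the .sha256 file's first field is the hex digest, that the release key has already been imported into gpg, and that the expected key fingerprint is supplied from a source other than the download itself (all three are assumptions, as the comments note).

```shell
#!/bin/sh
# Verify an OpenSSL tarball against the published .sha256 file and the
# detached .asc signature, as described in the thread above.
# Assumptions (not from the page): the .sha256 file's first field is the
# hex digest; the release key is already in the gpg keyring; its
# fingerprint is passed in and was obtained separately from the download.

# Print the SHA-256 digest of $1 (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the digest of $1 equals the digest recorded in file $2.
verify_sha256() {
    expected=$(awk 'NR==1 {print tolower($1)}' "$2" 2>/dev/null)
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Return 0 only when gpg reports a GOODSIG on $1 from signature $2 made by
# the key whose full fingerprint is $3 (the VALIDSIG status line carries
# the signing key's fingerprint as its first field).
verify_signature() {
    [ -n "$3" ] || return 1
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $3 " || return 1
}

# Fetch the tarball, its .sha256 and its .asc from the same URL prefix,
# verify both, and delete the tarball if either check fails.
fetch_openssl() {
    url="$1"; file="$2"; fpr="$3"
    for ext in "" .sha256 .asc; do
        curl -fsSL -o "$file$ext" "$url$ext" || return 1
    done
    if verify_sha256 "$file" "$file.sha256" && verify_signature "$file" "$file.asc" "$fpr"; then
        return 0
    fi
    rm -f "$file"; return 1
}
# Usage (placeholder fingerprint, take the real one from the OpenSSL site):
# fetch_openssl "$OPENSSL_ARCHIVE_URL" "$OPENSSL_ARCHIVE_FILE_NAME" "<RELEASE KEY FINGERPRINT>"
```

The fingerprint comparison is what makes the signature check meaningful: gpg will still report GOODSIG for any key in the keyring, and only warns, rather than fails, when that key has not been marked trusted.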
